
A newly identified Chinese-speaking threat actor cluster, tracked as UAT-6382, is actively exploiting a zero-day vulnerability in Cityworks (CVE-2025-0994), a popular asset management platform used by local government agencies and utility providers in the United States. According to a new threat advisory from Cisco Talos, the group is using the flaw to gain remote code execution and maintain persistent, long-term access using stealthy malware implants.
“Cisco Talos has observed exploitation of CVE-2025-0994, a remote-code-execution vulnerability in Cityworks… post-compromise activity involves the rapid deployment of web shells such as AntSword and Chopper,” the report states.
The exploited flaw allows unauthenticated attackers to execute commands on vulnerable Cityworks servers, hosted on Microsoft’s IIS platform. Once inside, UAT-6382 performs immediate reconnaissance using Windows commands like ipconfig, dir, and tasklist, then plants multiple Chinese-language web shells to maintain access.
“Talos assesses with high confidence that the exploitation and subsequent post-compromise activity is carried out by Chinese-speaking threat actors.”
The attackers deploy several tools, including:
- AntSword, Chopper, and Behinder web shells
- Generic file uploaders with Chinese-language messaging
- TetraLoader, a Rust-based malware loader built using the MaLoader framework
“MaLoader, written in Simplified Chinese, allows its operators to wrap shellcode and other payloads into a Rust-based binary.”
Using TetraLoader, the group injects Cobalt Strike beacons and VShell stagers into legitimate processes such as notepad.exe, dllhost.exe, and gpupdate.exe.
The Cobalt Strike payloads communicate with command-and-control servers such as:
- cdn[.]lgaircon[.]xyz
- www[.]roomako[.]com
These beacons use HTTPS, encoded shellcode, and obfuscation methods such as NetBIOS parameter encoding and custom headers, which makes detection considerably harder.
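As an added detection example (not code from the Talos advisory or this article), the following Python scans constructed Sysmon-style process-creation and network-connection events for two of the behaviours described above: reconnaissance commands spawned from the IIS worker process (assumed here to be w3wp.exe, the standard IIS worker process name), and outbound connections that either reach the listed C2 domains or originate from the injection targets named in the report. The log lines are constructed samples, not real telemetry.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry, one event per line, "Key=value" pairs.
PROCESS_EVENTS = [
    "ParentImage=C:\\Windows\\System32\\inetsrv\\w3wp.exe Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe /c ipconfig /all",
    "ParentImage=C:\\Windows\\System32\\inetsrv\\w3wp.exe Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe /c tasklist",
    "ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe /c dir C:\\Users",
]
NETWORK_EVENTS = [
    "Image=C:\\Windows\\System32\\notepad.exe DestinationHostname=cdn.lgaircon.xyz DestinationPort=443",
    "Image=C:\\Windows\\System32\\dllhost.exe DestinationHostname=www.roomako.com DestinationPort=443",
    "Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe DestinationHostname=example.org DestinationPort=443",
    "Image=C:\\Windows\\System32\\notepad.exe DestinationHostname=example.org DestinationPort=443",
]

# Indicators taken from the article (defanging brackets removed so they match hostnames).
C2_DOMAINS = {"cdn.lgaircon.xyz", "www.roomako.com"}
INJECTION_TARGETS = {"notepad.exe", "dllhost.exe", "gpupdate.exe"}
RECON_COMMANDS = {"ipconfig", "dir", "tasklist"}
WEB_SERVER_PROCESS = "w3wp.exe"  # assumption: Cityworks runs under the IIS worker process


def parse_event(line: str) -> Dict[str, str]:
    """Split 'Key=value' pairs; a value runs until the next ' Key=' or end of line."""
    return {m.group(1): m.group(2).strip()
            for m in re.finditer(r"(\w+)=(.*?)(?=\s\w+=|$)", line)}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def recon_from_web_shell(events: List[str]) -> List[str]:
    """Return command lines of recon tools launched by the web server process (web-shell activity)."""
    hits = []
    for line in events:
        ev = parse_event(line)
        tokens = set(ev.get("CommandLine", "").lower().split())
        if basename(ev.get("ParentImage", "")) == WEB_SERVER_PROCESS and tokens & RECON_COMMANDS:
            hits.append(ev["CommandLine"])
    return hits


def suspicious_beacons(events: List[str]) -> List[Tuple[str, str, str]]:
    """Return (process, host, reason) for connections to known C2 or from injection-target processes."""
    hits = []
    for line in events:
        ev = parse_event(line)
        image, host = basename(ev.get("Image", "")), ev.get("DestinationHostname", "").lower()
        if host in C2_DOMAINS:
            hits.append((image, host, "known C2 domain"))
        elif image in INJECTION_TARGETS:
            hits.append((image, host, "network activity from known injection target"))
    return hits
```

Matching on the two domains alone would miss a rotated C2; the second rule, a normally non-networking process such as notepad.exe opening an outbound connection, is the more durable signal for this injection pattern.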

The VShell implant is a Go-based backdoor that supports:
- File management
- Arbitrary command execution
- Screenshot capture
- Proxy tunneling
Its control panel, like other tooling in this campaign, is written primarily in Chinese, further reinforcing attribution to a Chinese-speaking threat group.
“VShell C2 panels are also written in Chinese… operators need to be familiar with the language to use the panel proficiently.”
Since January 2025, Talos has observed intrusions targeting local government networks in the U.S., specifically those managing utility services. Talos notes a clear effort by UAT-6382 to pivot to utility-related systems post-intrusion, hinting at possible state-aligned objectives.